BIOS disassembly
DISCUSSION AT http://forum.notebookreview.com/showthread.php?t=460583. SEE THE THROTTLING PAGE ABOUT THROTTLING.

After running prime95 benchmarks with ACPI disabled, the throttling still occurs. 0x199 reports the requested is still 13, and clock modulation is disabled. This would rule out Intel's PowerManagement and ACPI as suspects. Not sure where to go from here. ~thalanix 04:54, March 1, 2010 (UTC)

Bi-Directional PROCHOT can be used by the hardware to switch the CPU to the lowest multiplier. For instance, should the VRM or other connected hardware become too hot or come under excessive load, it may be possible for it to pull the PROCHOT signal down and throttle the CPU to the lowest multiplier. To see if this is the case, it might be possible to run Prochot.exe during a time the CPU is being throttled and see if the multiplier returns to a higher state for the 5 seconds PROCHOT is disabled. Since PROCHOT control appears undocumented, this may or may not work with the CPU in the G51J, or it may even cause the system to crash. Use at your own risk. Also be aware that if the system is indeed being throttled by PROCHOT, disabling it may result in hardware failure.

^you are our hero. <3 ~thalanix 17:57, March 1, 2010 (UTC)

=Decompression=

The BIOS is AMI Aptio UEFI and can be decompressed with the following technique.

1. Create a new folder and put the BIOS .ROM image in it.
2. Download fvdump.py, fsdump.py and UEFI_decompressor.exe and put them in the same folder (you will need to block your HTTP referrer with RefControl or similar to get the decompressor).
3. Create a new batch file (decomp.bat) in the same folder:
<pre>
ECHO ON
REM run the decompressor over every .compression section that fsdump.py produced
FOR %%i IN (*.compression) DO UEFI_decompressor %%i %%i.unpacked
</pre>
4. Extract the firmware volumes from the .ROM: fvdump.py BIOS.ROM
5. For each firmware volume: fsdump.py firmware_volume_name
6. Decompress everything: decomp.bat

Decompressed BIOS: http://www.zshare.net/download/72844662c4392a02/ (password is xa).
There is also a tool that shows a tree layout of the ROM: http://bios.rom.by/ROMutils/ROMpatcher/ROMpatcher44.zip

=Disassembly=

Most PE executables in there are x64. Open them in IDA (64-bit) as a generic binary and disassemble in 64-bit mode. Data blocks, if there are any, are mostly at the end, so up until the EFI warning strings or un-code-like chunks you can safely force conversion to code (press C).

Disassembled ACPI(P)/PM: http://forum.notebookreview.com/attachment.php?attachmentid=46071&d=1267390891

DSDT: http://forum.notebookreview.com/attachment.php?attachmentid=45686&d=1266953862

=Notes=

To-do list (decompressed section -> identified module):
* 11d8ac35-fb8a-44d1-098d-0b5606d321b9.sec0.compression.unpacked -> DSDT (not PE, not AML, not Tiano)
* 1314216c-cb8d-421c-54b8-06231386e642.sec1.compression.unpacked -> Platform Info DXE
* 161be597-e9c5-49db-50ae-c462ab54eeda.sec0.compression.unpacked -> SSDT (not PE, not AML, not Tiano)
* 16d0a23e-c09c-407d-4aa1-ad058fdd0ca1.sec1.compression.unpacked -> ACPI
* 2374eddf-f203-4fc0-0ea2-61bad73089d6.sec1.compression.unpacked -> IOTrap
* 38871bf0-c64a-4896-e4b8-62d4850c7e68.sec1.compression.unpacked -> OEM SX SMM
* 441d8a48-a3e0-42af-bd89-842cf0487afa.sec1.compression.unpacked -> PPM Policy
* 899407d7-99fe-43d8-219a-79ec328cac21.sec1.compression.unpacked -> PEGA Setup
* 8b5fbabd-f51f-4942-16bf-16aaa38ae52b.sec1.compression.unpacked -> ACPI Platform
* 90cb75db-71fc-489d-cfaa-943477ec7212.sec1.compression.unpacked -> Smart Timer
* a2de77bb-797d-4bb5-c480-19aeb8b5cd29.sec1.compression.unpacked -> PEGA SMI
* a3eaab3c-ba3a-4524-c79d-7e339996f496.sec1.compression.unpacked -> PEGA RT
* a7c619ff-9a64-4a89-7b94-e7953e2427cb.sec1.compression.unpacked -> PEGA BS
* bfd59d42-fe0f-4251-72b7-4b098a1aec85.sec1.compression.unpacked -> ActiveBios
* cbc59c4a-383a-41eb-eea8-4498aea567e4.sec1.compression.unpacked -> Runtime
* d16fb508-be35-437f-ca9c-2ea65f13d08d.sec1.compression.unpacked -> Intelligent Power Sharing
* e03abadf-e536-4e88-a0b3-b77f78eb34fe.sec1.compression.unpacked -> CPU DXE

==VBIOS overclock mod==

GTX260M VBIOS: 0x2849B to 0x357DF
GTX260M clock addresses (no NiBiTor support here): 0x34C1D (core), 0x34C1F (shaders) and 0x34C21 (mem).

GTX260M voltage table header: 4B 49 20 06 02 04 at 0x34D9D, with only two entries, .95 V and .90 V.

Clock mod to 550/1375/950: http://forum.notebookreview.com/attachment.php?attachmentid=45896&d=1267227000

GTS360M VBIOS: 0x10686 to 0x25E8E (not sure why the GTS360M VBIOS is in here...)

=PowerManagement Analysis (old)=

Here is the first form of throttling we can investigate: CPU register (MSR) reads and writes.

my hunch was wrong, the 0x199 and 0x19A MSRs don't change during throttling. ~thalanix 19:42, February 26, 2010 (UTC)

good call on the 64bit. it clears up the xrefs, but after some playing around with reading MSR's it's not what we're looking for. ~thalanix 21:25, February 28, 2010 (UTC)

3B2C: MSR read function
<pre>
seg000:0000000000003B2C sub_3B2C proc near            ; CODE XREF: sub_1488+E↑p
seg000:0000000000003B2C                               ; sub_1918+9↑p ...
seg000:0000000000003B2C     rdmsr                     ; ecx = MSR index, result in edx:eax
seg000:0000000000003B2E     shl     rdx, 20h
seg000:0000000000003B32     or      rax, rdx          ; return the full 64-bit value in rax
seg000:0000000000003B35     retn
seg000:0000000000003B35 sub_3B2C endp
</pre>

3B36: MSR write function
<pre>
seg000:0000000000003B36 sub_3B36 proc near            ; CODE XREF: sub_1488+24↑p
seg000:0000000000003B36                               ; sub_1918+26↑j ...
seg000:0000000000003B36     mov     rax, rdx          ; ecx = MSR index, rdx = 64-bit value to write
seg000:0000000000003B39     sar     rdx, 20h          ; split into edx:eax for wrmsr
seg000:0000000000003B3D     wrmsr
seg000:0000000000003B3F     retn
seg000:0000000000003B3F sub_3B36 endp
</pre>

3B0C: CPU identification function
<pre>
seg000:0000000000003B0C sub_3B0C proc near            ; CODE XREF: sub_1574+40↑p
seg000:0000000000003B0C                               ; sub_1F74+15↑p ...
seg000:0000000000003B0C     push    rbx
seg000:0000000000003B0D     mov     r8, rdx           ; r8 = optional 16-byte output buffer
seg000:0000000000003B10     mov     rax, rcx          ; eax = CPUID leaf
seg000:0000000000003B13     cpuid
seg000:0000000000003B15     cmp     r8, 0
seg000:0000000000003B19     jz      short loc_3B2A
seg000:0000000000003B1B     mov     [r8], eax
seg000:0000000000003B1E     mov     [r8+4], ebx
seg000:0000000000003B22     mov     [r8+8], ecx
seg000:0000000000003B26     mov     [r8+0Ch], edx
seg000:0000000000003B2A
seg000:0000000000003B2A loc_3B2A:                     ; CODE XREF: sub_3B0C+D↑j
seg000:0000000000003B2A     pop     rbx
seg000:0000000000003B2B     retn
seg000:0000000000003B2B sub_3B0C endp
</pre>

193E: 0x19A

0x19A is the clock modulation register. It could be the next step of throttling. It is isolated from the 1AA/1A0/1FC writes, but close to the 0x199 write. Logically, if the 0x199 write can be or is used for throttling then so can this one; that also means that if 0x199 is _not_ used for throttling, then this isn't either. We would probably be disabling TurboBoost or SpeedStep, but iirc those have their own control registers and are managed at a lower level. Note that both routines below operate on the fifth bit (0x10, the enable bit): sub_1918 sets it and sub_1944 clears it, which is why the register is written from two places.
<pre>
seg000:0000000000001918 sub_1918 proc near            ; CODE XREF: sub_19F8+81↓p
seg000:0000000000001918
seg000:0000000000001918 arg_0 = qword ptr  8
seg000:0000000000001918
seg000:0000000000001918     sub     rsp, 28h
seg000:000000000000191C     mov     ecx, 19Ah         ; clock modulation MSR
seg000:0000000000001921     call    sub_3B2C          ; read current value
seg000:0000000000001926     mov     ecx, 19Ah
seg000:000000000000192B     mov     [rsp+28h+arg_0], rax
seg000:0000000000001930     or      dword ptr [rsp+28h+arg_0], 10h   ; set bit 4 (enable)
seg000:0000000000001935     mov     rdx, [rsp+28h+arg_0]
seg000:000000000000193A     add     rsp, 28h
seg000:000000000000193E     jmp     sub_3B36          ; write it back
seg000:000000000000193E sub_1918 endp
seg000:0000000000001944
seg000:0000000000001944 sub_1944 proc near            ; CODE XREF: sub_19F8:loc_1A1C↓p
seg000:0000000000001944
seg000:0000000000001944 arg_0 = qword ptr  8
seg000:0000000000001944
seg000:0000000000001944     sub     rsp, 28h
seg000:0000000000001948     mov     ecx, 19Ah
seg000:000000000000194D     call    sub_3B2C
seg000:0000000000001952     mov     ecx, 19Ah
seg000:0000000000001957     mov     [rsp+28h+arg_0], rax
seg000:000000000000195C     and     dword ptr [rsp+28h+arg_0], 0FFFFFFEFh   ; clear bit 4 (disable)
seg000:0000000000001961     mov     rdx, [rsp+28h+arg_0]
seg000:0000000000001966     add     rsp, 28h
seg000:000000000000196A     jmp     sub_3B36
seg000:000000000000196A sub_1944 endp
</pre>

14AC: 0x199

Something to note about this: 0x199 is the multiplier register, and this is the only occurrence in all the files (assuming they were disassembled correctly) in which a write to this register occurs.
<pre>
seg000:0000000000001488 sub_1488 proc near            ; CODE XREF: sub_14BC+39↓p
seg000:0000000000001488                               ; DATA XREF: sub_14BC+4C↓o
seg000:0000000000001488     push    rbx
seg000:000000000000148A     sub     rsp, 20h
seg000:000000000000148E     mov     rbx, rcx          ; rcx -> 16-bit requested value
seg000:0000000000001491     mov     ecx, 199h         ; multiplier MSR
seg000:0000000000001496     call    sub_3B2C
seg000:000000000000149B     movzx   edx, word ptr [rbx]
seg000:000000000000149E     mov     ecx, 199h
seg000:00000000000014A3     and     rax, 0FFFFFFFFFFFF0000h   ; keep bits 63:16 of the current value
seg000:00000000000014A9     or      rdx, rax          ; replace bits 15:0 with the request
seg000:00000000000014AC     call    sub_3B36
seg000:00000000000014B1     xor     eax, eax
seg000:00000000000014B3     add     rsp, 20h
seg000:00000000000014B7     pop     rbx
seg000:00000000000014B8     retn
seg000:00000000000014B8 sub_1488 endp
</pre>

2252: unknown
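As an added example (not code from the wiki or from the firmware), here is a pure-Python model of the routines disassembled above: the rdmsr/wrmsr packing in sub_3B2C/sub_3B36, the bit-4 set/clear on 0x19A in sub_1918/sub_1944, and the low-16-bit replace on 0x199 in sub_1488, with field decoders so the written values can be read back as ratio and duty cycle. Bit layouts follow the Intel SDM; reading the ratio from bits 15:8 assumes a Nehalem-class Core i7, and the MSR contents used below are constructed.

```python
# Added example (not the wiki's or the firmware's code): a pure-Python model of the
# MSR routines disassembled above. Bit layouts follow the Intel SDM; the MSR contents
# in __main__ are constructed, not captured from a G51J.
IA32_PERF_CTL = 0x199          # "multiplier register", written only by sub_1488
IA32_CLOCK_MODULATION = 0x19A  # "clock modulation register", toggled by sub_1918/sub_1944
MASK64 = (1 << 64) - 1
DUTY_PCT = {code: 12.5 * code for code in range(1, 8)}  # bits 3:1; encoding 000b is reserved

def combine_rdmsr(eax, edx):
    """sub_3B2C: rdmsr leaves edx:eax; shl rdx,20h / or rax,rdx joins them into one value."""
    return ((edx & 0xFFFFFFFF) << 32) | (eax & 0xFFFFFFFF)

def split_wrmsr(value):
    """sub_3B36: mov rax,rdx / sar rdx,20h splits the value back into edx:eax for wrmsr."""
    return value & 0xFFFFFFFF, (value >> 32) & 0xFFFFFFFF

def sub_1918(msrs):
    """or dword ptr [...], 10h: set bit 4, On-Demand Clock Modulation Enable."""
    msrs[IA32_CLOCK_MODULATION] |= 0x10
    return msrs[IA32_CLOCK_MODULATION]

def sub_1944(msrs):
    """and dword ptr [...], 0FFFFFFEFh: clear bit 4; the upper dword is untouched."""
    msrs[IA32_CLOCK_MODULATION] &= MASK64 ^ 0x10
    return msrs[IA32_CLOCK_MODULATION]

def sub_1488(msrs, requested):
    """and rax,0FFFFFFFFFFFF0000h / or rdx,rax: keep bits 63:16, replace bits 15:0."""
    msrs[IA32_PERF_CTL] = (msrs[IA32_PERF_CTL] & (MASK64 ^ 0xFFFF)) | (requested & 0xFFFF)
    return msrs[IA32_PERF_CTL]

def decode_perf_ctl(value):
    """Bits 15:0 = target P-state value, bit 32 = Turbo/IDA disengage (SDM). Reading
    the ratio from bits 15:8 assumes a Nehalem-class Core i7 like the G51J's."""
    return {"target": value & 0xFFFF, "ratio": (value >> 8) & 0xFF,
            "turbo_disengage": bool(value & (1 << 32))}

def decode_clock_modulation(value):
    """Bit 4 = enable, bits 3:1 = duty cycle in 12.5% steps, bit 0 = extended duty (SDM)."""
    code = (value >> 1) & 0x7
    return {"enabled": bool(value & 0x10), "duty_code": code,
            "duty_pct": DUTY_PCT.get(code), "extended": bool(value & 1)}

if __name__ == "__main__":
    # Constructed state: ratio 13 requested (as 0x199 reported on the forum), modulation off.
    msrs = {IA32_PERF_CTL: 0x0D00, IA32_CLOCK_MODULATION: 0x02}
    print(decode_clock_modulation(sub_1918(msrs)))   # enabled, 12.5% duty
    print(decode_clock_modulation(sub_1944(msrs)))   # disabled again
    print(decode_perf_ctl(sub_1488(msrs, 0x0900)))   # ratio 9 requested
```

Feeding the model a value actually read from the MSRs (for example via /dev/cpu/N/msr on Linux) shows whether a firmware-side write like sub_1488 could account for the multiplier the OS observes.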